Adding a metadata proxy addon #45565
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
This change is |
k8s-github-robot
added
size/L
|
You can find the proxy image here: kubernetes-retired/contrib#2576 |
|
@k8s-bot kops aws e2e test this |
| # Note that this does not guarantee admission on the nodes (#40573). | ||
| annotations: | ||
| scheduler.alpha.kubernetes.io/critical-pod: '' | ||
| spec: |
There was a problem hiding this comment.
Resource requests are missing.
cluster/gce/gci/configure-helper.sh
Outdated
| @@ -1423,6 +1423,9 @@ function start-kube-addons { | |||
| if [[ "${ENABLE_DEFAULT_STORAGE_CLASS:-}" == "true" ]]; then | |||
| setup-addon-manifests "addons" "storage-class/gce" | |||
| fi | |||
| if [[ "${ENABLE_METADATA_PROXY:-}" == "simple" ]]; then | |||
There was a problem hiding this comment.
Why only in GCI? You should add it at least to debian, as some of our tests run on it.
There was a problem hiding this comment.
OK, I've tried adding it to configure-vm.sh and the salt files.
| - name: config-volume | ||
| mountPath: /etc/nginx/ | ||
| nodeSelector: | ||
| beta.kubernetes.io/metadata-proxy-ready: "true" |
There was a problem hiding this comment.
Why do you need this label? Similar label was introduced for fluentd because historically it ran as a manifest pod and we wanted to avoid situation where we will end up with 2 instances of fluentd.
There was a problem hiding this comment.
The label is so we'll only run it on node pools where the daemonset is enabled.
There was a problem hiding this comment.
Do you have any use where you want to have it enabled for some nodes and disabled for others within the same cluster?
There was a problem hiding this comment.
Testing and migration of existing clusters.
There was a problem hiding this comment.
Do you need to run metadata proxy addon on nodes in version 1.x+ and do not run it on nodes in version <1.x?
There was a problem hiding this comment.
That is also the case.
|
@k8s-bot unit test this |
| @@ -0,0 +1,4 @@ | |||
| approvers: | |||
| - q-lee | |||
There was a problem hiding this comment.
it'd be better to have at least one other name here to avoid the bus problem
| ============== | ||
|
|
||
| This metadata proxy returns a 403 for kubelet's secrets, but otherwise allows | ||
| pods through to the metadata server. |
| # Metadata proxy | ||
| ============== | ||
|
|
||
| This metadata proxy returns a 403 for kubelet's secrets, but otherwise allows |
There was a problem hiding this comment.
"secrets" is probably misleading here. Maybe say that it returns a 403 for the configuration data stored in kube-env.
cluster/gce/config-default.sh
Outdated
| NODE_LABELS="${KUBE_NODE_LABELS:-beta.kubernetes.io/fluentd-ds-ready=true}" | ||
| NODE_LABELS="${KUBE_NODE_LABELS:-beta.kubernetes.io/fluentd-ds-ready=true,beta.kubernetes.io/metadata-proxy-ready=true}" | ||
|
|
||
| # Turn the simple metadata proxy on by default. |
There was a problem hiding this comment.
Is defaulting this on safe? Seems like this could break workloads that happen to be depending on something they shouldn't.
There was a problem hiding this comment.
Dependencies on kube-env cannot be supported. If we're required to support unknown dependencies there, then we're unable to make just about any internal change whatsoever.
k8s-github-robot
added
the
needs-rebase
k8s-github-robot
removed
the
needs-rebase
|
@k8s-bot pull-kubernetes-e2e-kops-aws test this |
|
Squash commits, and then this ells gee to me. |
| @@ -0,0 +1,60 @@ | |||
| kind: ConfigMap | |||
There was a problem hiding this comment.
Is there an integration or e2e test that tests this configuration? i.e. the allow/deny rules are correct and work as intended?
There was a problem hiding this comment.
The happy cases should be well tested by feature tests (e.g., logging and monitoring tests should fail in the absence of a metadata server). I intend to push a negative case test after this goes in.
| labels: | ||
| addonmanager.kubernetes.io/mode: EnsureExists | ||
| data: | ||
| nginx.conf: |- |
There was a problem hiding this comment.
We should think about minimizing the work the proxy is doing here to keep it simple. I took a quick tour through options here:
http://nginx.org/en/docs/http/ngx_http_proxy_module.html
proxy_cache: do we care? Maybe this should be off, might reduce any hard-to-debug cache weirdness.
There was a problem hiding this comment.
I think proxy_cache is off by default.
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache
|
Hate to swoop in here but this thing should be named |
|
@jbeda How gce specific is it really? Is the aws metadata server laid out much differently (that's not a rhetorical question)? Are there no secrets on the aws metadata server we would want to block using a different nginx config? Could someone want to run kube2iam using this mechanism? I did consider the directory structure metadata-proxy/gce. Perhaps that's better? It defers a lot of thinking. |
|
IIRC @piosz were reviewing this |
|
Fair enough, pinging @piosz |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
k8s-github-robot
added
the
do-not-merge
Q-Lee
added
release-note
|
/assign @mikedanese Can this get approval? |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Q-Lee, mikedanese, piosz The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
|
Automatic merge from submit-queue |
What this PR does / why we need it: adds a metadata server proxy daemonset to hide kubelet secrets.
Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close that issue when PR gets merged): this partially addresses #8867Special notes for your reviewer:
Release note: the gce metadata server can be hidden behind a proxy, hiding the kubelet's token.